[AWS Secret Backend] STS lease and lease_max time


Sebastien Aucouturier

Dec 28, 2017, 12:14:23 PM
to Vault
Hi,

I need my AWS backend to not deliver tokens to users who request a TTL that exceeds lease_max.
Is it possible?

So far my tests to set it have failed.

I do:

./vault write aws/config/lease lease=30m lease_max=45m

but:

when I run:
./vault write aws/sts/ec2 @ttl.json

with ttl.json:
{
  "ttl": "120m"
}

the token has the requested lease_duration 1h59m59s > lease_max.

If I run
 ./vault read aws/sts/ec2
lease_duration is 59m58s, not the lease I set in the config.

So is it a bug or a misunderstanding on my part?

Any help appreciated. Thanks

Jeff Mitchell

Jan 3, 2018, 12:07:42 PM
to Vault
Hi Sebastien,

This is expected. From the documentation for AWS regarding STS lifetime:

"The duration, in seconds, that the credentials
should remain valid. Acceptable durations for IAM user sessions range from 900
seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12
hours) as the default. Sessions for AWS account owners are restricted to a
maximum of 3600 seconds (one hour). If the duration is longer than one hour,
the session for AWS account owners defaults to one hour."

Since you are configuring a period of two hours, it's being limited down to an hour.

Best,
Jeff


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/676e4640-ba21-4a69-a056-2f4f8a97eb9c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sebastien Aucouturier

Jan 11, 2018, 12:01:47 PM
to Vault
Hi Jeff,
thanks a lot for the explanation.

Is there a way to configure the backend to never deliver a token that exceeds a specific TTL value?
An example:
  I do not want the STS token to exceed a 30 min TTL,

  if an application requests an STS token with a 45 min TTL, the backend will deliver an STS token with at most a 30 min TTL.
  if an application requests an STS token with a 20 min TTL, the backend will deliver an STS token with a 20 min TTL.

Best regards

Jeff Mitchell

Jan 12, 2018, 12:02:29 PM
to Vault
Hi Sebastien,

You can configure it to be 30m instead of 120m in your configuration file.

Best,
Jeff


Matthew Ceroni

Jan 12, 2018, 1:23:04 PM
to Vault
I might not be understanding this, but I have run into this issue.

I set the max_ttl and ttl lease to 30m. When I request an STS token, the lease duration returned always lists 60m (even when setting the -ttl option).

Much like the original poster: they set their lease to 30m and 45m and tried to request 120m, but it set the lease duration to 60m (over what is set as the max in the lease config).

Sebastien Aucouturier

Jan 15, 2018, 2:13:16 AM
to Vault
Thanks a lot Matthew,

I feel less lonely trying to get it to work.


Matthew Ceroni

Jan 15, 2018, 10:40:57 PM
to Vault
No further assistance on what we might be doing wrong?

Sebastien Aucouturier

Feb 8, 2018, 5:04:33 AM
to Vault
Matthew,
I will go through the git to open an issue... are you with me?

Jeff Mitchell

Feb 8, 2018, 10:10:06 AM
to Vault
Hi,

It seems like the TTL for an STS token can only be configured currently at request time.

Best,
Jeff

On Thu, Feb 8, 2018 at 5:04 AM, Sebastien Aucouturier <sebastien....@gmail.com> wrote:
Matthew,
I will go through the git to open an issue... are you with me?

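The thread ends with two facts a practitioner has to reconcile: the STS lifetime AWS will actually grant is bounded by the limits Jeff quotes (15 minutes to 36 hours for IAM users, one hour for account-owner credentials), and the TTL of an STS credential from this backend is set at request time rather than by aws/config/lease. The added Python below (example code written for this page, not part of Vault or the AWS SDK) shows what that leaves the client to do: parse the Go-style durations Vault prints (120m, 1h59m59s, 59m58s), predict the lifetime AWS should grant, clamp the TTL sent to aws/sts/<role> to the caller's own maximum (the 45m-becomes-30m, 20m-stays-20m behaviour Sebastien asked for), and reject an issued credential whose lease_duration exceeds that maximum. The constants come from the quoted AWS text; the sample Vault response is constructed, with placeholder key material, and the lease_duration of 7199 mirrors the 1h59m59s reported in the thread for a 120m request.

```python
import re

# Limits quoted from the AWS STS documentation in the thread (seconds).
STS_IAM_MIN = 900        # 15 minutes: shortest IAM-user session
STS_IAM_MAX = 129600     # 36 hours: longest IAM-user session
STS_ROOT_MAX = 3600      # account-owner (root) sessions are capped at one hour

_PART = re.compile(r"(\d+)([hms])")
_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse a Vault/Go-style duration ('120m', '1h59m59s', '45m') into seconds.
    A bare integer is read as seconds, which is how the Vault API also treats it."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in _PART.finditer(text):
        if m.start() != pos:          # reject stray characters between parts
            raise ValueError(f"malformed duration: {text!r}")
        total += int(m.group(1)) * _SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"malformed duration: {text!r}")
    return total


def expected_sts_ttl(requested, root_credentials=False):
    """Lifetime AWS should grant for a requested TTL, per the quoted limits.
    Root credentials are capped at one hour; an IAM-user request outside the
    15m..36h window is an AWS validation error rather than a clamp, so raise."""
    secs = parse_duration(requested)
    if root_credentials:
        return min(secs, STS_ROOT_MAX)
    if not STS_IAM_MIN <= secs <= STS_IAM_MAX:
        raise ValueError(f"{requested} is outside the {STS_IAM_MIN}s..{STS_IAM_MAX}s STS window")
    return secs


def sts_request_body(requested, policy_max):
    """Body for 'vault write aws/sts/<role>': the requested TTL clamped to the
    caller's own maximum (45m under a 30m policy -> 30m, 20m -> 20m). The value
    is emitted in seconds so it round-trips without unit ambiguity."""
    secs = min(parse_duration(requested), parse_duration(policy_max))
    return {"ttl": f"{secs}s"}


def lease_within_policy(vault_secret, policy_max):
    """Post-issue guard on the JSON Vault returns: lease_duration is in seconds,
    and nothing server-side in this backend enforces the caller's maximum."""
    return int(vault_secret["lease_duration"]) <= parse_duration(policy_max)


# Constructed sample of 'vault write -format=json aws/sts/ec2 ttl=120m' output
# (placeholder credential values; 7199s matches the 1h59m59s seen in the thread).
SAMPLE_RESPONSE = {
    "lease_id": "aws/sts/ec2/example-lease-id",
    "lease_duration": 7199,
    "renewable": False,
    "data": {
        "access_key": "ASIAEXAMPLEKEY",
        "secret_key": "example-secret",
        "security_token": "example-token",
    },
}

if __name__ == "__main__":
    print(parse_duration("1h59m59s"))                       # 7199
    print(expected_sts_ttl("120m"))                         # 7200 for an IAM user
    print(expected_sts_ttl("120m", root_credentials=True))  # 3600: root is capped
    print(sts_request_body("45m", "30m"))                   # {'ttl': '1800s'}
    print(lease_within_policy(SAMPLE_RESPONSE, "30m"))      # False: 7199s > 1800s
```

The clamp belongs on the client (or in whatever wrapper hands out Vault tokens) precisely because, as the thread concludes, the lease config does not bound STS credentials; the post-issue check catches the case where a caller bypasses the wrapper and writes its own ttl.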